On Sat, Mar 04, 2006, Urjit Gokhale wrote:

> Hi All,
>
> I have an echo server (a C application) which uses SSL.
> In the server, calling SSL_get_cipher() and SSL_get_cipher_version() after
> SSL_accept() returns this:
> ======
> SSL cipher is : DES-CBC3-SHA
> SSL cipher version is : TLSv1/SSLv3
> ======
>
> I would like to know how this default cipher suite is selected?
> Is there any parameter in some configuration file?
> Is it related to the certificate that the server/client uses?
>
> I used openssl's s_client utility to test the server. The initial output of
> the s_client is in the file attached.
>

The client sends a list of supported ciphersuites in preference order to
the server during initial handshake. The server normally selects the
highest preference cipher presented that it supports. I say "normally"
because this can be overridden to allow the server preference to take
precedence.

The ciphersuites the server supports depend on a number of factors...

1. The type of certificates the server uses. Some require RSA, some DSA,
   others ECDSA.
2. Whether the server has a set of DH or ECDH parameters loaded.
3. Which ciphersuites are explicitly disabled by the cipher string.
4. Which ciphersuites are disabled by the library compilation options:
   e.g. IDEA support may not be compiled in.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
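
The selection rule described in the reply, as an added C sketch that is not part of the original message and is not OpenSSL's code. It is a simplified model that makes no OpenSSL calls; the suite table, the `choose` and `demo` functions and the sample client and server lists are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Added toy model, no OpenSSL calls. Suite names are OpenSSL's; tables are constructed. */
enum { AUTH_RSA = 1, AUTH_DSA = 2 };
struct suite { const char *name; int auth; int needs_dh; };
static const struct suite SUITES[] = {
    { "IDEA-CBC-SHA",       AUTH_RSA, 0 },
    { "DHE-RSA-AES256-SHA", AUTH_RSA, 1 },
    { "DHE-DSS-AES256-SHA", AUTH_DSA, 1 },
    { "DES-CBC3-SHA",       AUTH_RSA, 0 },
    { "AES256-SHA",         AUTH_RSA, 0 },
};
#define N(a) (sizeof(a) / sizeof((a)[0]))
struct server {
    int certs;       /* factor 1: key types of the loaded certificates */
    int has_dh;      /* factor 2: DH parameters loaded */
    const char *const *enabled; size_t n_enabled; /* factors 3+4, in server order */
    int server_pref; /* the override; in OpenSSL, SSL_OP_CIPHER_SERVER_PREFERENCE */
};
static int in_list(const char *const *l, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++) if (strcmp(l[i], name) == 0) return 1;
    return 0;
}
/* Walk the list whose order wins; return the first suite both sides can use. */
const char *choose(const struct server *s, const char *const *client, size_t nc) {
    const char *const *outer = s->server_pref ? s->enabled : client;
    const char *const *inner = s->server_pref ? client : s->enabled;
    size_t no = s->server_pref ? s->n_enabled : nc;
    size_t ni = s->server_pref ? nc : s->n_enabled;
    for (size_t i = 0; i < no; i++)
        for (size_t k = 0; k < N(SUITES); k++) {
            const struct suite *c = &SUITES[k];
            if (strcmp(c->name, outer[i]) || !in_list(inner, ni, c->name)) continue;
            if ((s->certs & c->auth) && (!c->needs_dh || s->has_dh)) return c->name;
        }
    return NULL; /* no shared cipher: the handshake fails */
}
/* Constructed sample: RSA-only server on which IDEA is not available. */
static const char *const CLIENT[] = { "IDEA-CBC-SHA", "DHE-RSA-AES256-SHA",
    "DHE-DSS-AES256-SHA", "DES-CBC3-SHA", "AES256-SHA" };
static const char *const ENABLED[] = { "AES256-SHA", "DHE-RSA-AES256-SHA",
    "DES-CBC3-SHA", "DHE-DSS-AES256-SHA" };
const char *demo(int has_dh, int server_pref) {
    struct server s = { AUTH_RSA, has_dh, ENABLED, N(ENABLED), server_pref };
    return choose(&s, CLIENT, N(CLIENT));
}
int main(void) {
    printf("%s | %s | %s\n", demo(0, 0), demo(1, 0), demo(0, 1));
}
```

With the same client list, loading DH parameters or switching to server preference changes the negotiated suite, which is why the result of SSL_get_cipher() depends on both peers' configuration.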